[Yandex Cloud documentation](../../index.md) > [Yandex Compute Cloud](../index.md) > [Concepts](index.md) > Encryption

# Encryption in Compute Cloud


By default, all data on Compute Cloud [disks](disk.md) is encrypted at the storage database level using a system key. This protects your data from being compromised in the event of a physical theft of disks from Yandex Cloud data centers. For more information, see [Data protection](../../security/standarts.md#sec-data).

We also recommend encrypting disks, [snapshots](snapshot.md), and [images](image.md) using custom Yandex Key Management Service [symmetric keys](../../kms/concepts/key.md). This approach allows you to:
* Protect yourself against potential threats of isolation breach and data compromise at the virtual infrastructure level.
* Control and manage the encryption and lifecycle of KMS keys. See [Key management](../../kms/operations/key.md).
* Improve data access control for your disk by requiring permissions for KMS keys. See [Configuring access permissions for a symmetric encryption key](../../kms/operations/key-access.md).
* Follow encryption and decryption operations performed using your KMS key with the help of Yandex Audit Trails. See [Key usage audit](../../kms/concepts/index.md#keys-audit).

You can encrypt the following types of disks:
* Network SSD (`network-ssd`)
* Network HDD (`network-hdd`)
* Non-replicated SSD (`network-ssd-nonreplicated`)
* Ultra high-speed network storage with three replicas (SSD) (`network-ssd-io-m3`)

For more details, see [Disk types](disk.md#disks-types).

{% note warning %}

You can specify encryption settings only when creating a disk. You cannot disable or change disk encryption. You also cannot enable encryption for an existing disk.

{% endnote %}

In Compute Cloud, encryption is available from the [management console](https://console.yandex.cloud), [CLI](../cli-ref/disk/create.md), and [API](../api-ref/Disk/create.md).

## Encryption options {#encryption-options}

The table below lists the methods you can use to create encrypted Compute Cloud resources and some features of KMS keys:

| **Target resource** | **Source resource** | **Key** | **Note** |
| --- | --- | --- | --- |
| Empty encrypted disk | —                      | Any       | See [Creating an empty disk](../operations/disk-create/empty.md). |
| Encrypted disk        | Unencrypted image  | Any       | See [Recovering a disk from an image](../operations/disk-create/from-image.md).</br>You can also use an image to</br>encrypt existing [disks](../operations/disk-control/disk-encrypt.md) and [snapshots](../operations/snapshot-control/snapshot-encrypt.md). |
| Encrypted disk        | Encrypted image    | Image key | See [Recovering a disk from an image](../operations/disk-create/from-image.md).</br>You can also use an encrypted</br>image to make a copy of</br>an encrypted disk. |
| Encrypted disk        | Unencrypted snapshot | Any       | See [Recovering a disk from a snapshot](../operations/disk-create/from-snapshot.md). |
| Encrypted disk        | Encrypted snapshot   | Snapshot key | See [Recovering a disk from a snapshot](../operations/disk-create/from-snapshot.md). |
| Encrypted image       | Encrypted disk     | Disk key  | See [Creating an image from a disk](../operations/image-create/create-from-disk.md). |
| Encrypted snapshot      | Encrypted disk     | Disk key  | See [Creating a disk snapshot](../operations/disk-control/create-snapshot.md). |

## Using custom keys {#user-keys}

By using custom KMS keys for disk and snapshot encryption, you can achieve more granular control over access to encrypted data: create custom keys for specific users or tasks, timely deactivate or delete specific keys.

If you deactivate the key used to encrypt a disk, image, or snapshot, access to the data will be suspended until you reactivate the key.

{% note alert %}

If you destroy the key or its [version](../../kms/concepts/version.md) used to encrypt a disk, image, or snapshot, you will irrevocably lose access to the data. For details, see [Destroying key versions](../../kms/concepts/version.md#version-distruct).

{% endnote %}

To use encryption in Compute Cloud, the user must have the `kms.keys.user` or `kms.admin` role for the key used for encryption. These [roles](../../kms/security/index.md#kms-admin) enable you to do the following:

* Create an encrypted disk.
* Create a VM with an encrypted disk.
* Attach an encrypted disk to an existing VM.
* Start and restart a VM with an encrypted disk.

For more information, see [Access management](../../kms/security/index.md).


### See also {#see-also}

* [Data encryption and key and secret management](../../security/standard/encryption.md)
* [Encrypting a disk](../operations/disk-control/disk-encrypt.md)
* [Encrypting an image](../operations/image-control/encrypt.md)
* [Encrypting an image](../operations/snapshot-control/snapshot-encrypt.md)